Windows Analysis Report
Digital.msi

Overview

General Information

Sample name:	Digital.msi
Analysis ID:	1561808
MD5:	391a7dcf2ff4af032a8de9b5bfc5b7d9
SHA1:	22e2261c6e65f3d95406e66c77d3942d51790417
SHA256:	e652634f90f23553d56fa937227c039f8769f9509051a434a14990785a8ab57f
Tags:	msiuser-JAMESWT_MHT
Infos:

Detection

AteraAgent

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AteraAgent

AI detected suspicious sample

Changes security center settings (notifications, updates, antivirus, firewall)

Creates files in the system32 config directory

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Reads the Security eventlog

Reads the System eventlog

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries disk information (often used to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Uses net.exe to stop services

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: Digital.msi

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 90.2% probability

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog			Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog			Jump to behavior

Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.158.75.4:443 -> 192.168.2.11:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49934 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49933 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49945 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49977 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50001 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50027 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50028 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50064 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50066 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50083 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000003.1359603187.0000000003527000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.0000000003528000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbDS9% source: rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 00000013.00000000.1387858238.00000207E7092000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.7.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.0000000007441000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000019.00000002.1685670421.00000206FF412000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.20.dr
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000002.1360724551.000000000350E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359747341.000000000350E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ControlAgentInstallation.pdb source: rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.7.dr
Source:	Binary string: HP7n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000002.1360001040.0000000002EA7000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1504607899.00000000008D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 00000013.00000000.1387858238.00000207E7092000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.7.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.7.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbt source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Windows\Pubnub.pdbpdbnub.pdb source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832451000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbn source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 00000014.00000002.2540771863.000001E8327D2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.7.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 00000014.00000002.2540771863.000001E8327D2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.7.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538424812.000001E832162000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.7.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr
Source:	Binary string: \??\C:\Windows\System.pdb. source: rundll32.exe, 0000000B.00000002.1362755613.00000000079A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000000.1642250402.00000206FF102000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.20.dr
Source:	Binary string: \??\C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.pdbl source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb,r source: rundll32.exe, 0000000B.00000002.1360724551.000000000350E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359747341.000000000350E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.0000000003505000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359603187.0000000003527000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.0000000003528000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.0000000007430000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.11.dr, AlphaControlAgentInstallation.dll.10.dr, AlphaControlAgentInstallation.dll.12.dr, AlphaControlAgentInstallation.dll.24.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000019.00000002.1685922917.00000206FF522000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.20.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: rundll32.exe, 0000000B.00000002.1362846095.00000000079DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359672372.00000000079D9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538424812.000001E832162000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1685922917.00000206FF522000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr
Source:	Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbV source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.7.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, MSIE5E5.tmp.7.dr, MSIE77C.tmp.7.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr
Source:	Binary string: dows\dll\System.pdb source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr
Source:	Binary string: \??\C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.PDB source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.pdbZ source: rundll32.exe, 00000018.00000002.1504791861.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000019.00000002.1685670421.00000206FF412000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.20.dr
Source:	Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.0000000007441000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?CnC:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000002.1360001040.0000000002EA7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 00000013.00000002.1441634851.00000207E9662000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.7.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 00000013.00000002.1441634851.00000207E9662000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.7.dr
Source:	Binary string: ?CnC:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000018.00000002.1504607899.00000000008D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, MSIC52A.tmp.7.dr, MSI1EC.tmp.7.dr, MSIE1CC.tmp.7.dr, MSIC932.tmp.7.dr
Source:	Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.7.dr
Source:	Binary string: \??\C:\Windows\System.pdbo source: rundll32.exe, 00000018.00000002.1504791861.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbt source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbr source: rundll32.exe, 00000018.00000002.1504791861.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbes source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: d:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFE7D101FFFh	19_2_00007FFE7D101FCD
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFE7D101873h	19_2_00007FFE7D10172D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFE7D101A44h	19_2_00007FFE7D101A34
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFE7D0E4ECBh	20_2_00007FFE7D0E4DF6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFE7D0E227Bh	20_2_00007FFE7D0E0C58
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFE7D0E4ECBh	20_2_00007FFE7D0E4E45

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 25.0.AgentPackageAgentInformation.exe.206ff100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2babaf61-1d7c-4750-9d20-d0f3040d8dce&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e064dce1-78e9-4ac2-9264-1eb708dbc685&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d7610938-0dca-439e-ac79-774f3c321e97&tr=31&tt=17324433839841529&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c825a3a8-4a36-49ab-b7b0-21c3250f6f58&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?1eP7cXfFABHn+w1g9FFL9eB+/iH5iRCUNriQ2oXlm3Xo4LhMTCSEx95ciwNo/nGQ HTTP/1.1Host: ps.atera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0950ed73-74e9-4e9c-8f6e-bd3943c07a92&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=21b3579c-1a7e-42af-89a3-d62561119c3f&tr=31&tt=17324433862201175&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=f0169ba0-1470-42de-a8c0-d3acdded414b&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=81ad481d-fe32-40f1-a575-ff3213b02a54&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b56d0227-452e-4f76-a77a-378f095d9d38&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=948125fe-e3cf-42ab-ba34-976a3adf5c80&tr=31&tt=17324434434497982&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=6c5142d1-8eb7-4c24-9754-9b429320ed0d&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d2f98d58-ae77-41cb-bf75-a12c39413b70&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=307e4b22-ae8f-4dc7-a619-34b637c0b56b&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cead9e07-0918-4110-bf73-0cde7886e764&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0f2fcab0-36f7-497d-80c2-ed154ce143d7&tr=31&tt=17324434434497982&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9912033a-6573-4ca2-b350-37c2bc6e22e9&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2834bcd7-fd55-4889-8913-f76d7ffbc034&tr=31&tt=17324434596739146&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=86b5c6de-7733-4db5-b81f-7d902ad87fa7&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2c6e45e8-47f3-4b11-b828-5f7d85987293&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2f5b9f56-7551-421b-9316-301f6079e99e&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c2b41531-6511-4485-b86e-174f0caf9d55&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0b567b7d-02ab-4d8f-b457-87226ecdada3&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c29a5fd2-a31e-449c-a116-6640bd437f2a&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=1549cfbe-4797-4e9b-87ba-b39ddfdb0c6e&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=504e0050-fb3e-4785-b22a-13fb6da05322&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f7ffddb2-9b76-4bfa-9cc3-f625de546771&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=262560da-847d-4155-9198-8e4ffcd1509c&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a9364c7f-76bc-44d5-9e4a-9e20b519e5f6&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=04073794-9b1a-456b-85fe-6eca65797754&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c1164d1e-bc30-4eb8-888a-782a294ae896&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=de127575-77e7-4719-a128-017012d14d11&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=95a8cc07-d7ac-4863-aa59-e133b0947fc6&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9debe3d6-bd60-48d8-8f32-cac259735cf3&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=248769b3-5b56-419a-86a3-53e6abc6f7ea&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8bd2666e-deba-4537-9847-826117c775e9&tr=31&tt=17324434870174992&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49760 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49776 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49913 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49934 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49977 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50052 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49882 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49964 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50073 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49954 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50015 -> 13.232.67.198:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2babaf61-1d7c-4750-9d20-d0f3040d8dce&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e064dce1-78e9-4ac2-9264-1eb708dbc685&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d7610938-0dca-439e-ac79-774f3c321e97&tr=31&tt=17324433839841529&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c825a3a8-4a36-49ab-b7b0-21c3250f6f58&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?1eP7cXfFABHn+w1g9FFL9eB+/iH5iRCUNriQ2oXlm3Xo4LhMTCSEx95ciwNo/nGQ HTTP/1.1Host: ps.atera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0950ed73-74e9-4e9c-8f6e-bd3943c07a92&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=21b3579c-1a7e-42af-89a3-d62561119c3f&tr=31&tt=17324433862201175&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=f0169ba0-1470-42de-a8c0-d3acdded414b&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=81ad481d-fe32-40f1-a575-ff3213b02a54&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b56d0227-452e-4f76-a77a-378f095d9d38&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=948125fe-e3cf-42ab-ba34-976a3adf5c80&tr=31&tt=17324434434497982&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=6c5142d1-8eb7-4c24-9754-9b429320ed0d&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d2f98d58-ae77-41cb-bf75-a12c39413b70&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=307e4b22-ae8f-4dc7-a619-34b637c0b56b&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cead9e07-0918-4110-bf73-0cde7886e764&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0f2fcab0-36f7-497d-80c2-ed154ce143d7&tr=31&tt=17324434434497982&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9912033a-6573-4ca2-b350-37c2bc6e22e9&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2834bcd7-fd55-4889-8913-f76d7ffbc034&tr=31&tt=17324434596739146&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=86b5c6de-7733-4db5-b81f-7d902ad87fa7&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2c6e45e8-47f3-4b11-b828-5f7d85987293&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2f5b9f56-7551-421b-9316-301f6079e99e&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c2b41531-6511-4485-b86e-174f0caf9d55&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0b567b7d-02ab-4d8f-b457-87226ecdada3&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c29a5fd2-a31e-449c-a116-6640bd437f2a&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=1549cfbe-4797-4e9b-87ba-b39ddfdb0c6e&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=504e0050-fb3e-4785-b22a-13fb6da05322&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f7ffddb2-9b76-4bfa-9cc3-f625de546771&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=262560da-847d-4155-9198-8e4ffcd1509c&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a9364c7f-76bc-44d5-9e4a-9e20b519e5f6&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=04073794-9b1a-456b-85fe-6eca65797754&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c1164d1e-bc30-4eb8-888a-782a294ae896&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=de127575-77e7-4719-a128-017012d14d11&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=95a8cc07-d7ac-4863-aa59-e133b0947fc6&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9debe3d6-bd60-48d8-8f32-cac259735cf3&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=248769b3-5b56-419a-86a3-53e6abc6f7ea&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8bd2666e-deba-4537-9847-826117c775e9&tr=31&tt=17324434870174992&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com

Source: global traffic	DNS traffic detected: DNS query: agent-api.atera.com
Source: global traffic	DNS traffic detected: DNS query: ps.pndsn.com
Source: global traffic	DNS traffic detected: DNS query: ps.atera.com

Source: AteraAgent.exe, 00000013.00000000.1387858238.00000207E7092000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819701000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe.7.dr	String found in binary or memory: http://acontrol.atera.com/
Source: rundll32.exe, 0000000B.00000002.1361716036.00000000050F5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F76000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819E96000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F64000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B25000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1683949683.00000206807AF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2138610160.0000029FBEF1F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2310806719.000002178012F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://agent-api.atera.com
Source: rundll32.exe, 0000000B.00000002.1361716036.00000000050F5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F76000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819E96000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F64000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B25000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1683949683.00000206807AF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2138610160.0000029FBEF1F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2310806719.000002178012F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
Source: AgentPackageAgentInformation.exe, 00000019.00000002.1684646622.0000020698EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digic
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E8323E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832451000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.dr, Newtonsoft.Json.dll.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp, C56C4404C4DEF0DC88E5FCD9F09CB2F10.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
Source: AteraAgent.exe, 00000013.00000002.1442020812.00000207E9909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831EF2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: F2E248BEDDBB2D85122423C41028BFD40.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E8328B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E8323A9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1684646622.0000020698EC8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2139861826.0000029FD76C8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2139861826.0000029FD7707000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2313248343.00000217F0D70000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2313248343.00000217F0E11000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: rundll32.exe, 0000000B.00000002.1362755613.00000000079CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsofty
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832451000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.dr, Newtonsoft.Json.dll.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9639000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1442020812.00000207E98F6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E95E4000.00000004.00000020.00020000.00000000.sdmp, 1A374813EDB1A6631387E414D3E732320.20.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 00000013.00000002.1442020812.00000207E9909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: AteraAgent.exe, 00000013.00000002.1442020812.00000207E98F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl;
Source: AteraAgent.exe, 00000013.00000002.1442020812.00000207E98F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlK
Source: AteraAgent.exe, 00000013.00000002.1442020812.00000207E98F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlV
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9612000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlhttp://crl4.digicert.co
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831EF2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9639000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9629000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: AgentPackageAgentInformation.exe.20.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.20.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlL
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crln
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlr
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/ec
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlche
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedRootG4.crllorer
Source: AgentPackageAgentInformation.exe, 00000019.00000002.1684646622.0000020698EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.x
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/2
Source: AteraAgent.exe, 00000014.00000002.2537602873.000001E831F1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/D6
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E83243D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertT#
Source: AteraAgent.exe, 00000013.00000002.1442020812.00000207E98F6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E95E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 00000013.00000002.1442020812.00000207E9909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlg5
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crltiCh
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crld
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832370000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831F9E000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.20.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: AteraAgent.exe, 00000014.00000002.2537602873.000001E831FC2000.00000004.00000020.00020000.00000000.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.19.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E8324F5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831F9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d9fc572
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E83252B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d9fc
Source: AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000000.1642250402.00000206FF102000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.20.dr	String found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
Source: Newtonsoft.Json.dll.24.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: rundll32.exe, 0000000B.00000002.1362755613.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.0000000007430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://msdn.mi
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9629000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/--4
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E95E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831F1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
Source: 698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB0.19.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxL
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832370000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831F1C000.00000004.00000020.00020000.00000000.sdmp, C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141.19.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/Q-
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/U-
Source: AteraAgent.exe, 00000013.00000002.1442020812.00000207E9909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E8328B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E8323A9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1684646622.0000020698EC8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2139861826.0000029FD76C8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2139861826.0000029FD7707000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2313248343.00000217F0D70000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2313248343.00000217F0E11000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832451000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Newtonsoft.Json.dll.7.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Newtonsoft.Json.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, Newtonsoft.Json.dll.10.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831EF2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E8323E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E95E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
Source: AteraAgent.exe, 00000014.00000002.2537602873.000001E831F1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7Nfjgt
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E83252B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com:80l
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831F1C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E8323E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819E39000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819D56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ps.pndsn.com
Source: AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
Source: rundll32.exe, 0000000B.00000002.1361716036.0000000005031000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819701000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1683949683.0000020680703000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2138610160.0000029FBEEAF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2310806719.00000217800BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://wixtoolset.org
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: svchost.exe, 00000000.00000002.1374419257.000001E3B9413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1442020812.00000207E9909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.oh
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F5E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F7C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.P
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819E96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.PR
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.Pj
Source: rundll32.exe, 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.aterD
Source: rundll32.exe, 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.aterDj
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.0000000005031000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F5E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819701000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819DF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F64000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819E02000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1683949683.0000020680703000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2138610160.0000029FBEEAF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2310806719.00000217800BF000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.11.dr, AlphaControlAgentInstallation.dll.10.dr, AlphaControlAgentInstallation.dll.12.dr, AlphaControlAgentInstallation.dll.24.dr	String found in binary or memory: https://agent-api.atera.com
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.0000000005031000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.11.dr, AlphaControlAgentInstallation.dll.10.dr, AlphaControlAgentInstallation.dll.12.dr, AlphaControlAgentInstallation.dll.24.dr	String found in binary or memory: https://agent-api.atera.com/
Source: AgentPackageAgentInformation.exe, 00000019.00000002.1683949683.0000020680703000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2138610160.0000029FBEEAF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2310806719.00000217800BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.0000000005031000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.11.dr, AlphaControlAgentInstallation.dll.10.dr, AlphaControlAgentInstallation.dll.12.dr, AlphaControlAgentInstallation.dll.24.dr	String found in binary or memory: https://agent-api.atera.com/Production/Agent/
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/Acknowl
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommandsdTAw
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/Age
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F5E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819DF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting)
Source: AgentPackageAgentInformation.exe, 00000019.00000002.1683949683.0000020680703000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2138610160.0000029FBEEAF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2310806719.00000217800BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetComm
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819AED000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819FBB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback)
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback0
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurrin
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819E02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesckd
Source: rundll32.exe, 0000000B.00000002.1361716036.0000000005031000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000003.1371490489.000001E3B946E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1375108049.000001E3B9470000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372392939.000001E3B945A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1374973934.000001E3B9463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372007687.000001E3B9462000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372112615.000001E3B945F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.1371490489.000001E3B946E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1375108049.000001E3B9470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000000.00000003.1371948365.000001E3B9467000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1375057722.000001E3B9468000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000000.00000003.1371274246.000001E3B9475000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1375147214.000001E3B9477000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000002.1374477527.000001E3B942B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372392939.000001E3B945A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1374973934.000001E3B9463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372007687.000001E3B9462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.1374477527.000001E3B942B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371948365.000001E3B9467000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1375057722.000001E3B9468000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000000.00000002.1374477527.000001E3B942B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1374973934.000001E3B9463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372007687.000001E3B9462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000000.00000002.1374663965.000001E3B9442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372481147.000001E3B9441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000002.1374663965.000001E3B9442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372481147.000001E3B9441000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1374973934.000001E3B9463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372007687.000001E3B9462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000000.00000002.1374419257.000001E3B9413000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1374973934.000001E3B9463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372007687.000001E3B9462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.1372481147.000001E3B9441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000002.1374973934.000001E3B9463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372007687.000001E3B9462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000002.1374663965.000001E3B9442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372481147.000001E3B9441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000003.1372112615.000001E3B945F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1270871997.000001E3B9436000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000002.1374477527.000001E3B942B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371948365.000001E3B9467000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1375057722.000001E3B9468000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538424812.000001E832162000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1685922917.00000206FF522000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: System.ValueTuple.dll.7.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
Source: System.ValueTuple.dll.7.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
Source: AteraAgent.exe, 00000014.00000002.2540771863.000001E8327D2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.7.dr	String found in binary or memory: https://github.com/icsharpcode/SharpZipLib
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageA
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageA3
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageA3RuZ
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E81989A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAgentI
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819804000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819804000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819804000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformati
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/20.9/AgentPackageOsUpdates.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/26.3/AgentPackageProgramManage
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819804000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.2/AgentPackageSTRemote.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.8/AgentPackageSystemTools.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819804000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.1/AgentPackageTicketing.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819804000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentI
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscovery
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819804000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819804000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819AED000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819DFC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819FBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819E06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E81978C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819AED000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819E39000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819D56000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819FBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819E06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=04073794-9b1a-456b-85fe-6eca65797754
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=1549cfbe-4797-4e9b-87ba-b39ddfdb0c6e
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E81978C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2babaf61-1d7c-4750-9d20-d0f3040d8dce
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=6c5142d1-8eb7-4c24-9754-9b429320ed0d
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=86b5c6de-7733-4db5-b81f-7d902ad87fa7
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9912033a-6573-4ca2-b350-37c2bc6e22e9
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819E06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9debe3d6-bd60-48d8-8f32-cac259735cf3
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b56d0227-452e-4f76-a77a-378f095d9d38
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cead9e07-0918-4110-bf73-0cde7886e764
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=f0169ba0-1470-42de-a8c0-d3acdded414b
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/pres
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ch
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819E06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/subscrib
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-b
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v22
Source: svchost.exe, 00000000.00000003.1372481147.000001E3B9441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1270871997.000001E3B9436000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.1270871997.000001E3B9436000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000003.1372202185.000001E3B945D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000002.1374477527.000001E3B942B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.24.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538424812.000001E832162000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1685922917.00000206FF522000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988

Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.158.75.4:443 -> 192.168.2.11:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49934 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49933 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49945 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49977 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50001 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50027 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50028 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50064 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50066 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50083 version: TLS 1.2

Drops certificate files (DER)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AlphaAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AlphaAgent

Reads the System eventlog

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AlphaAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AlphaAgent

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3ac317.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC52A.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC932.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE1CC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE5D4.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE5E5.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE77C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE8F4.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3ac319.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3ac319.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1EC.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\CustomAction.config	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\CustomAction.config	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\CustomAction.config	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\CustomAction.config
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIC52A.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_3_074571D0	11_3_074571D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_3_07450040	11_3_07450040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_3_04AF50B8	12_3_04AF50B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_3_04AF59A8	12_3_04AF59A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_3_04AF4D68	12_3_04AF4D68
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 20_2_00007FFE7D0E0C58	20_2_00007FFE7D0E0C58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06EC7678	24_3_06EC7678
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06EC0040	24_3_06EC0040
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 25_2_00007FFE7D1112CF	25_2_00007FFE7D1112CF
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 29_2_00007FFE7D0F12CF	29_2_00007FFE7D0F12CF
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 31_2_00007FFE7D1012CF	31_2_00007FFE7D1012CF

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2

Sample file is different than original file name gathered from version info

Source: Digital.msi	Binary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs Digital.msi
Source: Digital.msi	Binary or memory string: OriginalFilenameSfxCA.dll\ vs Digital.msi
Source: Digital.msi	Binary or memory string: OriginalFilenamewixca.dll\ vs Digital.msi

Source: AteraAgent.exe.7.dr, SignatureValidator.cs

Base64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'

Source: classification engine

Classification label: mal92.troj.spyw.evad.winMSI@46/83@12/2

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ATERA Networks

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Mutant created: NULL
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8188:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1520:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF355F8EAD7962411B.TMP

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC52A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3851687 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId

Source: Digital.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%

Source: Digital.msi

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Digital.msi"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BDCEB15B695F7B18E5D384CA0657056F
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC52A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3851687 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC932.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3852625 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIE1CC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3858921 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 698B2CE5FB46AC99A05489DBEDC6273F E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="Salim.Jami@korektel.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000KANvwIAH" /AgentId="1db40f91-941c-4bcb-961d-1fe2982e82b6"
Source: unknown	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1EC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3867125 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "ef2508c1-c717-4567-98db-ad739433a027" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "4b724461-d5de-45b3-918d-01f1dd7fb803" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "bba6296f-630c-4728-badb-dcac66c37446" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BDCEB15B695F7B18E5D384CA0657056F	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 698B2CE5FB46AC99A05489DBEDC6273F E Global\MSI0000	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="Salim.Jami@korektel.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000KANvwIAH" /AgentId="1db40f91-941c-4bcb-961d-1fe2982e82b6"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC52A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3851687 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC932.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3852625 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIE1CC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3858921 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1EC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3867125 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "ef2508c1-c717-4567-98db-ad739433a027" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "4b724461-d5de-45b3-918d-01f1dd7fb803" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "bba6296f-630c-4728-badb-dcac66c37446" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH

Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cabinet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: Digital.msi

Static file information: File size 2994176 > 1048576

Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000003.1359603187.0000000003527000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.0000000003528000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbDS9% source: rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 00000013.00000000.1387858238.00000207E7092000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.7.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.0000000007441000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000019.00000002.1685670421.00000206FF412000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.20.dr
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000002.1360724551.000000000350E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359747341.000000000350E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ControlAgentInstallation.pdb source: rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.7.dr
Source:	Binary string: HP7n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000002.1360001040.0000000002EA7000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1504607899.00000000008D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 00000013.00000000.1387858238.00000207E7092000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.7.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.7.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbt source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Windows\Pubnub.pdbpdbnub.pdb source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832451000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbn source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 00000014.00000002.2540771863.000001E8327D2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.7.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 00000014.00000002.2540771863.000001E8327D2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.7.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538424812.000001E832162000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.7.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr
Source:	Binary string: \??\C:\Windows\System.pdb. source: rundll32.exe, 0000000B.00000002.1362755613.00000000079A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000000.1642250402.00000206FF102000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.20.dr
Source:	Binary string: \??\C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.pdbl source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb,r source: rundll32.exe, 0000000B.00000002.1360724551.000000000350E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359747341.000000000350E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.0000000003505000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359603187.0000000003527000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.0000000003528000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.0000000007430000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.11.dr, AlphaControlAgentInstallation.dll.10.dr, AlphaControlAgentInstallation.dll.12.dr, AlphaControlAgentInstallation.dll.24.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000019.00000002.1685922917.00000206FF522000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.20.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: rundll32.exe, 0000000B.00000002.1362846095.00000000079DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359672372.00000000079D9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538424812.000001E832162000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1685922917.00000206FF522000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr
Source:	Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbV source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.7.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, MSIE5E5.tmp.7.dr, MSIE77C.tmp.7.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr
Source:	Binary string: dows\dll\System.pdb source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr
Source:	Binary string: \??\C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.PDB source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.pdbZ source: rundll32.exe, 00000018.00000002.1504791861.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000019.00000002.1685670421.00000206FF412000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.20.dr
Source:	Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.0000000007441000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?CnC:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000002.1360001040.0000000002EA7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 00000013.00000002.1441634851.00000207E9662000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.7.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 00000013.00000002.1441634851.00000207E9662000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.7.dr
Source:	Binary string: ?CnC:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000018.00000002.1504607899.00000000008D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, MSIC52A.tmp.7.dr, MSI1EC.tmp.7.dr, MSIE1CC.tmp.7.dr, MSIC932.tmp.7.dr
Source:	Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.7.dr
Source:	Binary string: \??\C:\Windows\System.pdbo source: rundll32.exe, 00000018.00000002.1504791861.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbt source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbr source: rundll32.exe, 00000018.00000002.1504791861.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbes source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp

Binary contains a suspicious time stamp

Source: BouncyCastle.Crypto.dll.7.dr

Static PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 19_2_00007FFE7D1000BD pushad ; iretd	19_2_00007FFE7D1000C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 20_2_00007FFE7D0E00BD pushad ; iretd	20_2_00007FFE7D0E00C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 20_2_00007FFE7D2F0F64 push eax; ret	20_2_00007FFE7D2F0F94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 20_2_00007FFE7D2F0F38 push eax; ret	20_2_00007FFE7D2F0F94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06DE57B8 push es; ret	24_3_06DE5840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06DE4E90 push es; ret	24_3_06DE4EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06DE4EB0 push es; ret	24_3_06DE4EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06DE58D1 push es; ret	24_3_06DE58E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06DE58F0 push es; ret	24_3_06DE5900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06DE58B0 push es; ret	24_3_06DE58C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06DE5910 push es; ret	24_3_06DE5920
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06EC84A1 push es; ret	24_3_06EC84B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06EC18F0 push es; ret	24_3_06EC1900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06EC1961 push es; ret	24_3_06EC1970
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 25_2_00007FFE7D1100BD pushad ; iretd	25_2_00007FFE7D1100C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 29_2_00007FFE7D0F00BD pushad ; iretd	29_2_00007FFE7D0F00C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 31_2_00007FFE7D1000BD pushad ; iretd	31_2_00007FFE7D1000C1

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1EC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC52A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE8F4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE5E5.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC932.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE77C.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE1CC.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1EC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC932.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC52A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE8F4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE5E5.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE77C.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE1CC.tmp	Jump to dropped file

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog			Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog			Jump to behavior

Creates or modifies windows services

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Jump to behavior

Uses net.exe to stop services

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Stores large binary data to the registry

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Key value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 207E73F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 207E8DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 1E8195F0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 1E831700000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 206804C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 20698680000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 29FBE770000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 29FD6DF0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 217F0020000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 217F0600000 memory reserve \| memory write watch

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 6434
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 3126

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1EC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC52A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE8F4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE5E5.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1EC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC932.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC52A.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC52A.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC932.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC932.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC52A.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC52A.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1EC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC932.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE77C.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1EC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CC.tmp	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\rundll32.exe TID: 7532	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7940	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7896	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8092	Thread sleep count: 6434 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8084	Thread sleep count: 3126 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7548	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7548	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7536	Thread sleep count: 48 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7536	Thread sleep time: -480000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7488	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7516	Thread sleep time: -270000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7652	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7844	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7864	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2096	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1420	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4828	Thread sleep time: -922337203685477s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 90000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477

Source: AgentPackageAgentInformation.exe.20.dr	Binary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
Source: svchost.exe, 00000005.00000002.2524684736.0000024206A4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.2524684736.0000024206A4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D: @
Source: svchost.exe, 00000005.00000002.2524554790.0000024206A2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000005.00000002.2524868931.0000024206A64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000k
Source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: svchost.exe, 00000005.00000002.2524684736.0000024206A4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9639000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E95E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832451000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831F1C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E8323A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.2524275259.0000024206A02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.2525155471.0000024206B02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.2524684736.0000024206A4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: rundll32.exe, 0000000B.00000003.1359603187.0000000003527000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.0000000003528000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1684646622.0000020698E50000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2139861826.0000029FD76C8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2313248343.00000217F0DB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior

Enables debug privileges

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="Salim.Jami@korektel.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000KANvwIAH" /AgentId="1db40f91-941c-4bcb-961d-1fe2982e82b6"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "ef2508c1-c717-4567-98db-ad739433a027" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "4b724461-d5de-45b3-918d-01f1dd7fb803" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "bba6296f-630c-4728-badb-dcac66c37446" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH

Uses taskkill to terminate processes

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe

Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="salim.jami@korektel.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000kanvwiah" /agentid="1db40f91-941c-4bcb-961d-1fe2982e82b6"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "ef2508c1-c717-4567-98db-ad739433a027" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kanvwiah
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "4b724461-d5de-45b3-918d-01f1dd7fb803" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kanvwiah
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "bba6296f-630c-4728-badb-dcac66c37446" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kanvwiah
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="salim.jami@korektel.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000kanvwiah" /agentid="1db40f91-941c-4bcb-961d-1fe2982e82b6"	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "ef2508c1-c717-4567-98db-ad739433a027" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kanvwiah
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "4b724461-d5de-45b3-918d-01f1dd7fb803" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kanvwiah
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "bba6296f-630c-4728-badb-dcac66c37446" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kanvwiah

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIC52A.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIC52A.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIC932.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIC932.tmp-\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIE1CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIE1CC.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI1EC.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI1EC.tmp-\Newtonsoft.Json.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: svchost.exe, 00000008.00000002.2525383064.0000028969F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000008.00000002.2525383064.0000028969F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Adds / modifies Windows certificates

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Remote Access Functionality

Yara detected AteraAgent

Source: Yara match	File source: 25.2.AgentPackageAgentInformation.exe.206ff410000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.AteraAgent.exe.207e7090000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.AgentPackageAgentInformation.exe.206ff100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819F5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2310806719.0000021780073000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1685011781.00000206FF2D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1685011781.00000206FF290000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E81976F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2312101938.00000217EFE95000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1437456452.000002078017C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819F76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819804000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1439484735.00000207E71B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2137431429.0000029FBE59D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2526996281.000001E819027000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2537602873.000001E831ED0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819FBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2137431429.0000029FBE63B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2312101938.00000217EFE18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1439443971.00000207E7170000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2137431429.0000029FBE5A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2312101938.00000217EFE59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2538937765.000001E832370000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2312948661.00000217F0000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2310806719.00000217800BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.1387858238.00000207E7092000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1444334678.00007FFE7D194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2523269176.0000001AB33B5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2312101938.00000217EFE10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2526833344.000001E818F20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2526714387.000001E818ED0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1440389283.00000207E74D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1685011781.00000206FF2E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819F7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1685011781.00000206FF31C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1437456452.00000207800B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1439484735.00000207E7192000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1437456452.0000020780089000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1685815626.00000206FF510000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2538937765.000001E8323A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2526996281.000001E818FA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2137431429.0000029FBE5E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819DFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1437456452.0000020780132000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2526996281.000001E818FDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2138610160.0000029FBEEAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1441885494.00000207E98D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2138281864.0000029FBE7B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2312101938.00000217EFE2B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1684646622.0000020698E50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2138610160.0000029FBEE73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2538937765.000001E8323E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1685670421.00000206FF412000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819FB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1361716036.0000000005031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2312101938.00000217EFE4D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2137431429.0000029FBE569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1437456452.00000207800B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2537602873.000001E831FC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1683949683.0000020680681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1439241847.00000207E715C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1442456404.00000207E992C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1683949683.00000206806F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2526996281.000001E81905D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2137431429.0000029FBE560000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2526996281.000001E818FFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2138610160.0000029FBEE63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1506275968.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1439241847.00000207E7150000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1683949683.0000020680703000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2310806719.0000021780001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2310806719.0000021780047000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2138610160.0000029FBEE37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.1642250402.00000206FF102000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2138610160.0000029FBEDF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1437456452.000002078008C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2310806719.0000021780083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1439484735.00000207E71E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1437456452.0000020780001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AteraAgent.exe PID: 7876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AteraAgent.exe PID: 8040, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 2888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7492, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF104FF017AE6A1734.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF46B34C8187FE8435.TMP, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFD18BD80E6999656A.TMP, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\3ac318.rbs, type: DROPPED
Source: Yara match	File source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF9363D06770D8B98C.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFC8300526DF6F0731.TMP, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSIC52A.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF355F8EAD7962411B.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSIE1CC.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSIE5D4.tmp, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.158.75.4	d25btwd9wax8gu.cloudfront.net	United States		16509	AMAZON-02US	false
13.232.67.198	ps.pndsn.com	United States		16509	AMAZON-02US	false

Contacted Domains

Name	IP	Active
ps.pndsn.com	13.232.67.198	true
bg.microsoft.map.fastly.net	199.232.214.172	true
d25btwd9wax8gu.cloudfront.net	108.158.75.4	true
fp2e7a.wpc.phicdn.net	192.229.221.95	true
windowsupdatebg.s.llnwi.net	178.79.238.0	true
ps.atera.com	unknown	unknown
agent-api.atera.com	unknown	unknown

Contacted URLs

Name	Malicious	Reputation
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=948125fe-e3cf-42ab-ba34-976a3adf5c80&tr=31&tt=17324434434497982&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c825a3a8-4a36-49ab-b7b0-21c3250f6f58&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=307e4b22-ae8f-4dc7-a619-34b637c0b56b&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b56d0227-452e-4f76-a77a-378f095d9d38&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8bd2666e-deba-4537-9847-826117c775e9&tr=31&tt=17324434870174992&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2f5b9f56-7551-421b-9316-301f6079e99e&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0b567b7d-02ab-4d8f-b457-87226ecdada3&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2babaf61-1d7c-4750-9d20-d0f3040d8dce&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d2f98d58-ae77-41cb-bf75-a12c39413b70&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cead9e07-0918-4110-bf73-0cde7886e764&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=f0169ba0-1470-42de-a8c0-d3acdded414b&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d7610938-0dca-439e-ac79-774f3c321e97&tr=31&tt=17324433839841529&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=1549cfbe-4797-4e9b-87ba-b39ddfdb0c6e&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0f2fcab0-36f7-497d-80c2-ed154ce143d7&tr=31&tt=17324434434497982&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=81ad481d-fe32-40f1-a575-ff3213b02a54&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=21b3579c-1a7e-42af-89a3-d62561119c3f&tr=31&tt=17324433862201175&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=262560da-847d-4155-9198-8e4ffcd1509c&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a9364c7f-76bc-44d5-9e4a-9e20b519e5f6&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=de127575-77e7-4719-a128-017012d14d11&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=86b5c6de-7733-4db5-b81f-7d902ad87fa7&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c1164d1e-bc30-4eb8-888a-782a294ae896&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=95a8cc07-d7ac-4863-aa59-e133b0947fc6&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=6c5142d1-8eb7-4c24-9754-9b429320ed0d&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c29a5fd2-a31e-449c-a116-6640bd437f2a&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6	false	high

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: Digital.msi

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 90.2% probability

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog			Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog			Jump to behavior

Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.158.75.4:443 -> 192.168.2.11:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49934 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49933 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49945 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49977 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50001 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50027 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50028 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50064 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50066 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50083 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000003.1359603187.0000000003527000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.0000000003528000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbDS9% source: rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 00000013.00000000.1387858238.00000207E7092000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.7.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.0000000007441000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000019.00000002.1685670421.00000206FF412000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.20.dr
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000002.1360724551.000000000350E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359747341.000000000350E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ControlAgentInstallation.pdb source: rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.7.dr
Source:	Binary string: HP7n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000002.1360001040.0000000002EA7000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1504607899.00000000008D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 00000013.00000000.1387858238.00000207E7092000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.7.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.7.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbt source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Windows\Pubnub.pdbpdbnub.pdb source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832451000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbn source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 00000014.00000002.2540771863.000001E8327D2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.7.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 00000014.00000002.2540771863.000001E8327D2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.7.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538424812.000001E832162000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.7.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr
Source:	Binary string: \??\C:\Windows\System.pdb. source: rundll32.exe, 0000000B.00000002.1362755613.00000000079A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000000.1642250402.00000206FF102000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.20.dr
Source:	Binary string: \??\C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.pdbl source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb,r source: rundll32.exe, 0000000B.00000002.1360724551.000000000350E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359747341.000000000350E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.0000000003505000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359603187.0000000003527000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.0000000003528000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.0000000007430000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.11.dr, AlphaControlAgentInstallation.dll.10.dr, AlphaControlAgentInstallation.dll.12.dr, AlphaControlAgentInstallation.dll.24.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000019.00000002.1685922917.00000206FF522000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.20.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: rundll32.exe, 0000000B.00000002.1362846095.00000000079DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359672372.00000000079D9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538424812.000001E832162000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1685922917.00000206FF522000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr
Source:	Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbV source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.7.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, MSIE5E5.tmp.7.dr, MSIE77C.tmp.7.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr
Source:	Binary string: dows\dll\System.pdb source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr
Source:	Binary string: \??\C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.PDB source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.pdbZ source: rundll32.exe, 00000018.00000002.1504791861.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000019.00000002.1685670421.00000206FF412000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.20.dr
Source:	Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.0000000007441000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?CnC:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000002.1360001040.0000000002EA7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 00000013.00000002.1441634851.00000207E9662000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.7.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 00000013.00000002.1441634851.00000207E9662000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.7.dr
Source:	Binary string: ?CnC:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000018.00000002.1504607899.00000000008D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, MSIC52A.tmp.7.dr, MSI1EC.tmp.7.dr, MSIE1CC.tmp.7.dr, MSIC932.tmp.7.dr
Source:	Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.7.dr
Source:	Binary string: \??\C:\Windows\System.pdbo source: rundll32.exe, 00000018.00000002.1504791861.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbt source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbr source: rundll32.exe, 00000018.00000002.1504791861.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbes source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: d:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFE7D101FFFh	19_2_00007FFE7D101FCD
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFE7D101873h	19_2_00007FFE7D10172D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFE7D101A44h	19_2_00007FFE7D101A34
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFE7D0E4ECBh	20_2_00007FFE7D0E4DF6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFE7D0E227Bh	20_2_00007FFE7D0E0C58
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFE7D0E4ECBh	20_2_00007FFE7D0E4E45

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 25.0.AgentPackageAgentInformation.exe.206ff100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2babaf61-1d7c-4750-9d20-d0f3040d8dce&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e064dce1-78e9-4ac2-9264-1eb708dbc685&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d7610938-0dca-439e-ac79-774f3c321e97&tr=31&tt=17324433839841529&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c825a3a8-4a36-49ab-b7b0-21c3250f6f58&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?1eP7cXfFABHn+w1g9FFL9eB+/iH5iRCUNriQ2oXlm3Xo4LhMTCSEx95ciwNo/nGQ HTTP/1.1Host: ps.atera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0950ed73-74e9-4e9c-8f6e-bd3943c07a92&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=21b3579c-1a7e-42af-89a3-d62561119c3f&tr=31&tt=17324433862201175&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=f0169ba0-1470-42de-a8c0-d3acdded414b&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=81ad481d-fe32-40f1-a575-ff3213b02a54&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b56d0227-452e-4f76-a77a-378f095d9d38&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=948125fe-e3cf-42ab-ba34-976a3adf5c80&tr=31&tt=17324434434497982&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=6c5142d1-8eb7-4c24-9754-9b429320ed0d&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d2f98d58-ae77-41cb-bf75-a12c39413b70&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=307e4b22-ae8f-4dc7-a619-34b637c0b56b&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cead9e07-0918-4110-bf73-0cde7886e764&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0f2fcab0-36f7-497d-80c2-ed154ce143d7&tr=31&tt=17324434434497982&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9912033a-6573-4ca2-b350-37c2bc6e22e9&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2834bcd7-fd55-4889-8913-f76d7ffbc034&tr=31&tt=17324434596739146&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=86b5c6de-7733-4db5-b81f-7d902ad87fa7&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2c6e45e8-47f3-4b11-b828-5f7d85987293&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2f5b9f56-7551-421b-9316-301f6079e99e&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c2b41531-6511-4485-b86e-174f0caf9d55&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0b567b7d-02ab-4d8f-b457-87226ecdada3&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c29a5fd2-a31e-449c-a116-6640bd437f2a&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=1549cfbe-4797-4e9b-87ba-b39ddfdb0c6e&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=504e0050-fb3e-4785-b22a-13fb6da05322&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f7ffddb2-9b76-4bfa-9cc3-f625de546771&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=262560da-847d-4155-9198-8e4ffcd1509c&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a9364c7f-76bc-44d5-9e4a-9e20b519e5f6&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=04073794-9b1a-456b-85fe-6eca65797754&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c1164d1e-bc30-4eb8-888a-782a294ae896&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=de127575-77e7-4719-a128-017012d14d11&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=95a8cc07-d7ac-4863-aa59-e133b0947fc6&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9debe3d6-bd60-48d8-8f32-cac259735cf3&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=248769b3-5b56-419a-86a3-53e6abc6f7ea&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8bd2666e-deba-4537-9847-826117c775e9&tr=31&tt=17324434870174992&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49760 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49776 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49913 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49934 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49977 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50052 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49882 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49964 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50073 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49954 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50015 -> 13.232.67.198:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2babaf61-1d7c-4750-9d20-d0f3040d8dce&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e064dce1-78e9-4ac2-9264-1eb708dbc685&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d7610938-0dca-439e-ac79-774f3c321e97&tr=31&tt=17324433839841529&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c825a3a8-4a36-49ab-b7b0-21c3250f6f58&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?1eP7cXfFABHn+w1g9FFL9eB+/iH5iRCUNriQ2oXlm3Xo4LhMTCSEx95ciwNo/nGQ HTTP/1.1Host: ps.atera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0950ed73-74e9-4e9c-8f6e-bd3943c07a92&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=21b3579c-1a7e-42af-89a3-d62561119c3f&tr=31&tt=17324433862201175&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=f0169ba0-1470-42de-a8c0-d3acdded414b&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=81ad481d-fe32-40f1-a575-ff3213b02a54&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b56d0227-452e-4f76-a77a-378f095d9d38&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=948125fe-e3cf-42ab-ba34-976a3adf5c80&tr=31&tt=17324434434497982&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=6c5142d1-8eb7-4c24-9754-9b429320ed0d&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d2f98d58-ae77-41cb-bf75-a12c39413b70&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=307e4b22-ae8f-4dc7-a619-34b637c0b56b&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cead9e07-0918-4110-bf73-0cde7886e764&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0f2fcab0-36f7-497d-80c2-ed154ce143d7&tr=31&tt=17324434434497982&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9912033a-6573-4ca2-b350-37c2bc6e22e9&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2834bcd7-fd55-4889-8913-f76d7ffbc034&tr=31&tt=17324434596739146&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=86b5c6de-7733-4db5-b81f-7d902ad87fa7&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2c6e45e8-47f3-4b11-b828-5f7d85987293&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2f5b9f56-7551-421b-9316-301f6079e99e&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c2b41531-6511-4485-b86e-174f0caf9d55&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0b567b7d-02ab-4d8f-b457-87226ecdada3&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c29a5fd2-a31e-449c-a116-6640bd437f2a&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=1549cfbe-4797-4e9b-87ba-b39ddfdb0c6e&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=504e0050-fb3e-4785-b22a-13fb6da05322&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f7ffddb2-9b76-4bfa-9cc3-f625de546771&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=262560da-847d-4155-9198-8e4ffcd1509c&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a9364c7f-76bc-44d5-9e4a-9e20b519e5f6&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=04073794-9b1a-456b-85fe-6eca65797754&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c1164d1e-bc30-4eb8-888a-782a294ae896&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=de127575-77e7-4719-a128-017012d14d11&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=95a8cc07-d7ac-4863-aa59-e133b0947fc6&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9debe3d6-bd60-48d8-8f32-cac259735cf3&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=248769b3-5b56-419a-86a3-53e6abc6f7ea&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8bd2666e-deba-4537-9847-826117c775e9&tr=31&tt=17324434870174992&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com

Source: global traffic	DNS traffic detected: DNS query: agent-api.atera.com
Source: global traffic	DNS traffic detected: DNS query: ps.pndsn.com
Source: global traffic	DNS traffic detected: DNS query: ps.atera.com

Source: AteraAgent.exe, 00000013.00000000.1387858238.00000207E7092000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819701000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe.7.dr	String found in binary or memory: http://acontrol.atera.com/
Source: rundll32.exe, 0000000B.00000002.1361716036.00000000050F5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F76000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819E96000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F64000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B25000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1683949683.00000206807AF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2138610160.0000029FBEF1F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2310806719.000002178012F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://agent-api.atera.com
Source: rundll32.exe, 0000000B.00000002.1361716036.00000000050F5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F76000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819E96000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F64000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B25000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1683949683.00000206807AF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2138610160.0000029FBEF1F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2310806719.000002178012F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
Source: AgentPackageAgentInformation.exe, 00000019.00000002.1684646622.0000020698EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digic
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E8323E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832451000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.dr, Newtonsoft.Json.dll.10.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp, C56C4404C4DEF0DC88E5FCD9F09CB2F10.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
Source: AteraAgent.exe, 00000013.00000002.1442020812.00000207E9909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831EF2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: F2E248BEDDBB2D85122423C41028BFD40.20.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E8328B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E8323A9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1684646622.0000020698EC8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2139861826.0000029FD76C8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2139861826.0000029FD7707000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2313248343.00000217F0D70000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2313248343.00000217F0E11000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: rundll32.exe, 0000000B.00000002.1362755613.00000000079CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsofty
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832451000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.dr, Newtonsoft.Json.dll.10.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9639000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1442020812.00000207E98F6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E95E4000.00000004.00000020.00020000.00000000.sdmp, 1A374813EDB1A6631387E414D3E732320.20.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 00000013.00000002.1442020812.00000207E9909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: AteraAgent.exe, 00000013.00000002.1442020812.00000207E98F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl;
Source: AteraAgent.exe, 00000013.00000002.1442020812.00000207E98F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlK
Source: AteraAgent.exe, 00000013.00000002.1442020812.00000207E98F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlV
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9612000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlhttp://crl4.digicert.co
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831EF2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9639000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9629000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: AgentPackageAgentInformation.exe.20.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.20.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlL
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crln
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlr
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/ec
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlche
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedRootG4.crllorer
Source: AgentPackageAgentInformation.exe, 00000019.00000002.1684646622.0000020698EC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.x
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/2
Source: AteraAgent.exe, 00000014.00000002.2537602873.000001E831F1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/D6
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E83243D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertT#
Source: AteraAgent.exe, 00000013.00000002.1442020812.00000207E98F6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E95E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 00000013.00000002.1442020812.00000207E9909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlg5
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crltiCh
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9639000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crld
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832370000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831F9E000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.20.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: AteraAgent.exe, 00000014.00000002.2537602873.000001E831FC2000.00000004.00000020.00020000.00000000.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.19.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E8324F5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831F9E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d9fc572
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E83252B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d9fc
Source: AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000000.1642250402.00000206FF102000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.20.dr	String found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
Source: Newtonsoft.Json.dll.24.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: rundll32.exe, 0000000B.00000002.1362755613.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.0000000007430000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://msdn.mi
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9629000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/--4
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E95E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831F1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
Source: 698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB0.19.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxL
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832370000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831F1C000.00000004.00000020.00020000.00000000.sdmp, C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141.19.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/Q-
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/U-
Source: AteraAgent.exe, 00000013.00000002.1442020812.00000207E9909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E8328B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E8323A9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1684646622.0000020698EC8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2139861826.0000029FD76C8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2139861826.0000029FD7707000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2313248343.00000217F0D70000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2313248343.00000217F0E11000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832451000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Newtonsoft.Json.dll.7.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Newtonsoft.Json.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, Newtonsoft.Json.dll.10.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831EF2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E8323E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E95E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
Source: AteraAgent.exe, 00000014.00000002.2537602873.000001E831F1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7Nfjgt
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E83252B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com:80l
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831F1C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E8323E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819E39000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819D56000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ps.pndsn.com
Source: AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
Source: rundll32.exe, 0000000B.00000002.1361716036.0000000005031000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819701000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1683949683.0000020680703000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2138610160.0000029FBEEAF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2310806719.00000217800BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: http://wixtoolset.org
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: svchost.exe, 00000000.00000002.1374419257.000001E3B9413000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1442020812.00000207E9909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.oh
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F5E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F7C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.P
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819E96000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.PR
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F64000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.Pj
Source: rundll32.exe, 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.aterD
Source: rundll32.exe, 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.aterDj
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.0000000005031000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F5E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819701000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819DF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F64000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819E02000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1683949683.0000020680703000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2138610160.0000029FBEEAF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2310806719.00000217800BF000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.11.dr, AlphaControlAgentInstallation.dll.10.dr, AlphaControlAgentInstallation.dll.12.dr, AlphaControlAgentInstallation.dll.24.dr	String found in binary or memory: https://agent-api.atera.com
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.0000000005031000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.11.dr, AlphaControlAgentInstallation.dll.10.dr, AlphaControlAgentInstallation.dll.12.dr, AlphaControlAgentInstallation.dll.24.dr	String found in binary or memory: https://agent-api.atera.com/
Source: AgentPackageAgentInformation.exe, 00000019.00000002.1683949683.0000020680703000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2138610160.0000029FBEEAF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2310806719.00000217800BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.0000000005031000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.11.dr, AlphaControlAgentInstallation.dll.10.dr, AlphaControlAgentInstallation.dll.12.dr, AlphaControlAgentInstallation.dll.24.dr	String found in binary or memory: https://agent-api.atera.com/Production/Agent/
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/Acknowl
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommandsdTAw
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/Age
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F5E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819DF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting)
Source: AgentPackageAgentInformation.exe, 00000019.00000002.1683949683.0000020680703000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2138610160.0000029FBEEAF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2310806719.00000217800BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetComm
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819AED000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819FBB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback)
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback0
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819701000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F5E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurrin
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819E02000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesckd
Source: rundll32.exe, 0000000B.00000002.1361716036.0000000005031000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000003.1371490489.000001E3B946E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1375108049.000001E3B9470000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372392939.000001E3B945A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1374973934.000001E3B9463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372007687.000001E3B9462000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372112615.000001E3B945F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.1371490489.000001E3B946E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1375108049.000001E3B9470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000000.00000003.1371948365.000001E3B9467000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1375057722.000001E3B9468000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000000.00000003.1371274246.000001E3B9475000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1375147214.000001E3B9477000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000002.1374477527.000001E3B942B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372392939.000001E3B945A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1374973934.000001E3B9463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372007687.000001E3B9462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.1374477527.000001E3B942B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371948365.000001E3B9467000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1375057722.000001E3B9468000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000000.00000002.1374477527.000001E3B942B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1374973934.000001E3B9463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372007687.000001E3B9462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000000.00000002.1374663965.000001E3B9442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372481147.000001E3B9441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000002.1374663965.000001E3B9442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372481147.000001E3B9441000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1374973934.000001E3B9463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372007687.000001E3B9462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000000.00000002.1374419257.000001E3B9413000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1374973934.000001E3B9463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372007687.000001E3B9462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.1372481147.000001E3B9441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000002.1374973934.000001E3B9463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372007687.000001E3B9462000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000002.1374663965.000001E3B9442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372481147.000001E3B9441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000003.1372112615.000001E3B945F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1270871997.000001E3B9436000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000002.1374477527.000001E3B942B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371948365.000001E3B9467000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1375057722.000001E3B9468000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538424812.000001E832162000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1685922917.00000206FF522000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: System.ValueTuple.dll.7.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
Source: System.ValueTuple.dll.7.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
Source: AteraAgent.exe, 00000014.00000002.2540771863.000001E8327D2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.7.dr	String found in binary or memory: https://github.com/icsharpcode/SharpZipLib
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageA
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageA3
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageA3RuZ
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E81989A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197DF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAgentI
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819804000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819804000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819804000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformati
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/20.9/AgentPackageOsUpdates.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/26.3/AgentPackageProgramManage
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819804000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.2/AgentPackageSTRemote.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.8/AgentPackageSystemTools.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819804000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.1/AgentPackageTicketing.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819804000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentI
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscovery
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819804000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819804000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819AED000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819DFC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819FBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819E06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E81978C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819AED000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819E39000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819D56000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819FBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819E06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=04073794-9b1a-456b-85fe-6eca65797754
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=1549cfbe-4797-4e9b-87ba-b39ddfdb0c6e
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E81978C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2babaf61-1d7c-4750-9d20-d0f3040d8dce
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=6c5142d1-8eb7-4c24-9754-9b429320ed0d
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=86b5c6de-7733-4db5-b81f-7d902ad87fa7
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9912033a-6573-4ca2-b350-37c2bc6e22e9
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819E06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9debe3d6-bd60-48d8-8f32-cac259735cf3
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b56d0227-452e-4f76-a77a-378f095d9d38
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cead9e07-0918-4110-bf73-0cde7886e764
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=f0169ba0-1470-42de-a8c0-d3acdded414b
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/pres
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ch
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819E06000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/subscrib
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-b
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819FBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d
Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v22
Source: svchost.exe, 00000000.00000003.1372481147.000001E3B9441000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1270871997.000001E3B9436000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.1270871997.000001E3B9436000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000003.1372202185.000001E3B945D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000002.1374477527.000001E3B942B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.24.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538424812.000001E832162000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1685922917.00000206FF522000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49986
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 49945 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49981
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50053
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50016
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50015
Source: unknown	Network traffic detected: HTTP traffic on port 50052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown	Network traffic detected: HTTP traffic on port 50064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown	Network traffic detected: HTTP traffic on port 49954 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50064
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50066
Source: unknown	Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50027
Source: unknown	Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49981 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49882 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49964
Source: unknown	Network traffic detected: HTTP traffic on port 50038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49882
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 50015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50076
Source: unknown	Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50038
Source: unknown	Network traffic detected: HTTP traffic on port 50001 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49986 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50083
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown	Network traffic detected: HTTP traffic on port 50083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49955
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49954
Source: unknown	Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 50016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50001
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50052
Source: unknown	Network traffic detected: HTTP traffic on port 49955 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49945
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49988

Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.158.75.4:443 -> 192.168.2.11:49778 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49913 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49934 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49933 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49945 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49977 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49981 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49986 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50000 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50001 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50027 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50028 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50064 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50066 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50083 version: TLS 1.2

Drops certificate files (DER)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AlphaAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AlphaAgent

Reads the System eventlog

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AlphaAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AlphaAgent

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3ac317.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC52A.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC932.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE1CC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE5D4.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE5E5.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE77C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE8F4.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3ac319.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\3ac319.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1EC.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\CustomAction.config	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\CustomAction.config	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\CustomAction.config	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\CustomAction.config
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIC52A.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_3_074571D0	11_3_074571D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_3_07450040	11_3_07450040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_3_04AF50B8	12_3_04AF50B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_3_04AF59A8	12_3_04AF59A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_3_04AF4D68	12_3_04AF4D68
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 20_2_00007FFE7D0E0C58	20_2_00007FFE7D0E0C58
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06EC7678	24_3_06EC7678
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06EC0040	24_3_06EC0040
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 25_2_00007FFE7D1112CF	25_2_00007FFE7D1112CF
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 29_2_00007FFE7D0F12CF	29_2_00007FFE7D0F12CF
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 31_2_00007FFE7D1012CF	31_2_00007FFE7D1012CF

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2

Sample file is different than original file name gathered from version info

Source: Digital.msi	Binary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs Digital.msi
Source: Digital.msi	Binary or memory string: OriginalFilenameSfxCA.dll\ vs Digital.msi
Source: Digital.msi	Binary or memory string: OriginalFilenamewixca.dll\ vs Digital.msi

Source: AteraAgent.exe.7.dr, SignatureValidator.cs

Source: classification engine

Classification label: mal92.troj.spyw.evad.winMSI@46/83@12/2

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ATERA Networks

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7828:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Mutant created: NULL
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4040:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8188:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1520:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF355F8EAD7962411B.TMP

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Source: Digital.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%

Source: Digital.msi

ReversingLabs: Detection: 28%

Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Digital.msi"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BDCEB15B695F7B18E5D384CA0657056F
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC52A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3851687 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC932.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3852625 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIE1CC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3858921 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 698B2CE5FB46AC99A05489DBEDC6273F E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="Salim.Jami@korektel.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000KANvwIAH" /AgentId="1db40f91-941c-4bcb-961d-1fe2982e82b6"
Source: unknown	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1EC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3867125 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "ef2508c1-c717-4567-98db-ad739433a027" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "4b724461-d5de-45b3-918d-01f1dd7fb803" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "bba6296f-630c-4728-badb-dcac66c37446" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BDCEB15B695F7B18E5D384CA0657056F	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 698B2CE5FB46AC99A05489DBEDC6273F E Global\MSI0000	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="Salim.Jami@korektel.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000KANvwIAH" /AgentId="1db40f91-941c-4bcb-961d-1fe2982e82b6"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC52A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3851687 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC932.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3852625 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIE1CC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3858921 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1EC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3867125 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "ef2508c1-c717-4567-98db-ad739433a027" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "4b724461-d5de-45b3-918d-01f1dd7fb803" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "bba6296f-630c-4728-badb-dcac66c37446" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH

Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cabinet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: Digital.msi

Static file information: File size 2994176 > 1048576

Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000003.1359603187.0000000003527000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.0000000003528000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbDS9% source: rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 00000013.00000000.1387858238.00000207E7092000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.7.dr
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.0000000007441000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000019.00000002.1685670421.00000206FF412000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.20.dr
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000002.1360724551.000000000350E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359747341.000000000350E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ControlAgentInstallation.pdb source: rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.7.dr
Source:	Binary string: HP7n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000002.1360001040.0000000002EA7000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1504607899.00000000008D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 00000013.00000000.1387858238.00000207E7092000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.7.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.7.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbt source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \Windows\Pubnub.pdbpdbnub.pdb source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832451000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbn source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 00000014.00000002.2540771863.000001E8327D2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.7.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 00000014.00000002.2540771863.000001E8327D2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.7.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538424812.000001E832162000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.7.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr
Source:	Binary string: \??\C:\Windows\System.pdb. source: rundll32.exe, 0000000B.00000002.1362755613.00000000079A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000000.1642250402.00000206FF102000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.20.dr
Source:	Binary string: \??\C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.pdbl source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb,r source: rundll32.exe, 0000000B.00000002.1360724551.000000000350E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359747341.000000000350E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.0000000003505000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359603187.0000000003527000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.0000000003528000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.0000000007430000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.11.dr, AlphaControlAgentInstallation.dll.10.dr, AlphaControlAgentInstallation.dll.12.dr, AlphaControlAgentInstallation.dll.24.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000019.00000002.1685922917.00000206FF522000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.20.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: rundll32.exe, 0000000B.00000002.1362846095.00000000079DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359672372.00000000079D9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538424812.000001E832162000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1685922917.00000206FF522000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr
Source:	Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbV source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.7.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, MSIE5E5.tmp.7.dr, MSIE77C.tmp.7.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr
Source:	Binary string: dows\dll\System.pdb source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr
Source:	Binary string: \??\C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.PDB source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.pdbZ source: rundll32.exe, 00000018.00000002.1504791861.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000019.00000002.1685670421.00000206FF412000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.20.dr
Source:	Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.0000000007441000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?CnC:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000002.1360001040.0000000002EA7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 00000013.00000002.1441634851.00000207E9662000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.7.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 00000013.00000002.1441634851.00000207E9662000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.7.dr
Source:	Binary string: ?CnC:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000018.00000002.1504607899.00000000008D7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, MSIC52A.tmp.7.dr, MSI1EC.tmp.7.dr, MSIE1CC.tmp.7.dr, MSIC932.tmp.7.dr
Source:	Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.7.dr
Source:	Binary string: \??\C:\Windows\System.pdbo source: rundll32.exe, 00000018.00000002.1504791861.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbt source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbr source: rundll32.exe, 00000018.00000002.1504791861.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbes source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp

Binary contains a suspicious time stamp

Source: BouncyCastle.Crypto.dll.7.dr

Static PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]

Uses code obfuscation techniques (call, push, ret)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 19_2_00007FFE7D1000BD pushad ; iretd	19_2_00007FFE7D1000C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 20_2_00007FFE7D0E00BD pushad ; iretd	20_2_00007FFE7D0E00C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 20_2_00007FFE7D2F0F64 push eax; ret	20_2_00007FFE7D2F0F94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 20_2_00007FFE7D2F0F38 push eax; ret	20_2_00007FFE7D2F0F94
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06DE57B8 push es; ret	24_3_06DE5840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06DE4E90 push es; ret	24_3_06DE4EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06DE4EB0 push es; ret	24_3_06DE4EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06DE58D1 push es; ret	24_3_06DE58E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06DE58F0 push es; ret	24_3_06DE5900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06DE58B0 push es; ret	24_3_06DE58C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06DE5910 push es; ret	24_3_06DE5920
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06EC84A1 push es; ret	24_3_06EC84B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06EC18F0 push es; ret	24_3_06EC1900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_3_06EC1961 push es; ret	24_3_06EC1970
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 25_2_00007FFE7D1100BD pushad ; iretd	25_2_00007FFE7D1100C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 29_2_00007FFE7D0F00BD pushad ; iretd	29_2_00007FFE7D0F00C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 31_2_00007FFE7D1000BD pushad ; iretd	31_2_00007FFE7D1000C1

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log

Drops PE files

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1EC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC52A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE8F4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE5E5.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC932.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE77C.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE1CC.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI1EC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC932.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC52A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE8F4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE5E5.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC932.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE77C.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIE1CC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI1EC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIC52A.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIE1CC.tmp	Jump to dropped file

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog			Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog			Jump to behavior

Creates or modifies windows services

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Jump to behavior

Uses net.exe to stop services

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Stores large binary data to the registry

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Key value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 207E73F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 207E8DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 1E8195F0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 1E831700000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 206804C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 20698680000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 29FBE770000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 29FD6DF0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 217F0020000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 217F0600000 memory reserve \| memory write watch

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Contains long sleeps (>= 3 min)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 6434
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 3126

Found dropped PE file which has not been started or loaded

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1EC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC52A.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE8F4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE5E5.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1EC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC932.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC52A.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC52A.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC932.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC932.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC52A.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC52A.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1EC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC932.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE77C.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI1EC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CC.tmp	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\rundll32.exe TID: 7532	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7940	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7896	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8092	Thread sleep count: 6434 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8084	Thread sleep count: 3126 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7548	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7548	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7536	Thread sleep count: 48 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7536	Thread sleep time: -480000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7488	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7516	Thread sleep time: -270000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7652	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7844	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7864	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2096	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2860	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1420	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4828	Thread sleep time: -922337203685477s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 90000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477

Source: AgentPackageAgentInformation.exe.20.dr	Binary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
Source: svchost.exe, 00000005.00000002.2524684736.0000024206A4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.2524684736.0000024206A4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D: @
Source: svchost.exe, 00000005.00000002.2524554790.0000024206A2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000005.00000002.2524868931.0000024206A64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000k
Source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: svchost.exe, 00000005.00000002.2524684736.0000024206A4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9639000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E95E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832451000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831F1C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E8323A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.2524275259.0000024206A02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000005.00000002.2525155471.0000024206B02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.2524684736.0000024206A4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: rundll32.exe, 0000000B.00000003.1359603187.0000000003527000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.0000000003528000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1684646622.0000020698E50000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2139861826.0000029FD76C8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2313248343.00000217F0DB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Checks if the current process is being debugged

Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\System32\sppsvc.exe	Process queried: DebugPort	Jump to behavior

Enables debug privileges

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="Salim.Jami@korektel.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000KANvwIAH" /AgentId="1db40f91-941c-4bcb-961d-1fe2982e82b6"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "ef2508c1-c717-4567-98db-ad739433a027" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "4b724461-d5de-45b3-918d-01f1dd7fb803" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "bba6296f-630c-4728-badb-dcac66c37446" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH

Uses taskkill to terminate processes

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe

Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="salim.jami@korektel.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000kanvwiah" /agentid="1db40f91-941c-4bcb-961d-1fe2982e82b6"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "ef2508c1-c717-4567-98db-ad739433a027" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kanvwiah
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "4b724461-d5de-45b3-918d-01f1dd7fb803" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kanvwiah
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "bba6296f-630c-4728-badb-dcac66c37446" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kanvwiah
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="salim.jami@korektel.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000kanvwiah" /agentid="1db40f91-941c-4bcb-961d-1fe2982e82b6"	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "ef2508c1-c717-4567-98db-ad739433a027" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kanvwiah
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "4b724461-d5de-45b3-918d-01f1dd7fb803" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kanvwiah
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "bba6296f-630c-4728-badb-dcac66c37446" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kanvwiah

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIC52A.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIC52A.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIC932.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIC932.tmp-\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIE1CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIE1CC.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI1EC.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI1EC.tmp-\Newtonsoft.Json.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: svchost.exe, 00000008.00000002.2525383064.0000028969F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000008.00000002.2525383064.0000028969F02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Adds / modifies Windows certificates

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Remote Access Functionality

Yara detected AteraAgent

Source: Yara match	File source: 25.2.AgentPackageAgentInformation.exe.206ff410000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.AteraAgent.exe.207e7090000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.AgentPackageAgentInformation.exe.206ff100000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819F5E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2310806719.0000021780073000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1685011781.00000206FF2D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1685011781.00000206FF290000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E81976F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2312101938.00000217EFE95000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1437456452.000002078017C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819F76000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819804000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1439484735.00000207E71B2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2137431429.0000029FBE59D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2526996281.000001E819027000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2537602873.000001E831ED0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819FBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2137431429.0000029FBE63B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2312101938.00000217EFE18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1439443971.00000207E7170000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2137431429.0000029FBE5A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2312101938.00000217EFE59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2538937765.000001E832370000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2312948661.00000217F0000000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2310806719.00000217800BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.1387858238.00000207E7092000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1444334678.00007FFE7D194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2523269176.0000001AB33B5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2312101938.00000217EFE10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2526833344.000001E818F20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2526714387.000001E818ED0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1440389283.00000207E74D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1685011781.00000206FF2E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819F7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1685011781.00000206FF31C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1437456452.00000207800B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1439484735.00000207E7192000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1437456452.0000020780089000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1685815626.00000206FF510000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2538937765.000001E8323A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2526996281.000001E818FA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2137431429.0000029FBE5E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819DFC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1437456452.0000020780132000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2526996281.000001E818FDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2138610160.0000029FBEEAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1441885494.00000207E98D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2138281864.0000029FBE7B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2312101938.00000217EFE2B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1684646622.0000020698E50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2138610160.0000029FBEE73000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2538937765.000001E8323E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1685670421.00000206FF412000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819FB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1361716036.0000000005031000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2312101938.00000217EFE4D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2137431429.0000029FBE569000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819E39000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819701000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1437456452.00000207800B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2537602873.000001E831FC2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1683949683.0000020680681000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1439241847.00000207E715C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1442456404.00000207E992C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1683949683.00000206806F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2526996281.000001E81905D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2137431429.0000029FBE560000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2526996281.000001E818FFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2138610160.0000029FBEE63000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2527764895.000001E819F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.1506275968.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1439241847.00000207E7150000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1683949683.0000020680703000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2310806719.0000021780001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2310806719.0000021780047000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2138610160.0000029FBEE37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.1642250402.00000206FF102000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2138610160.0000029FBEDF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1437456452.000002078008C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.2310806719.0000021780083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1439484735.00000207E71E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1437456452.0000020780001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7420, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7492, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AteraAgent.exe PID: 7876, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AteraAgent.exe PID: 8040, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7424, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7744, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 2888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7492, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF104FF017AE6A1734.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF46B34C8187FE8435.TMP, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFD18BD80E6999656A.TMP, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\3ac318.rbs, type: DROPPED
Source: Yara match	File source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF9363D06770D8B98C.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFC8300526DF6F0731.TMP, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSIC52A.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF355F8EAD7962411B.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSIE1CC.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSIE5D4.tmp, type: DROPPED

Windows Analysis Report
Digital.msi

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1561808
Product:	CloudBasic
Start time:	11:15:08
Start date:	24.11.2024
Sample:	Digital.msi
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	391a7dcf2ff4af032a8de9b5bfc5b7d9
SHA1:	22e2261c6e65f3d95406e66c77d3942d51790417
SHA256:	e652634f90f23553d56fa937227c039f8769f9509051a434a14990785a8ab57f
Filetype:	Microsoft Windows Installer (60509/1) 57.88%

Windows Analysis Report Digital.msi

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
Digital.msi